Safe(r) Web Browsing presentation
Download
Report
Transcript Safe(r) Web Browsing presentation
Safe(r) Web Browsing
IT Security Roundtable
April 9, 2010
Harvard Townsend
Chief Information Security Officer
[email protected]
Agenda
“The Internet is a bad neighborhood.”
The dangers of web browsing
Helpful features built into web browsers
Tools you can add to your web browsers
Trend Micro is your friend
Misc. cautions/tips/tricks
Q&A
2
The Risks
Computer infected with malicious software
(malware)
Stolen, altered, and/or deleted K-State or
personal information (do you have SSNs on your
computer?)
Identity theft
Financial fraud – stolen credit card and/or bank
account information
Your computer is used to send spam
Your computer stops working because of damage
done by the malware
Your computer is used to infect other computers
Your computer’s network access is blocked by
the security team to prevent further damage
3
The Threats
Malicious links/sites – to click or not to
click, that is the question.
Malicious advertisements
Drive-by Download (don’t even have to
click!)
Search engines tricked to present
malicious/bogus result near the top of
your search results (aka Blackhat Search
Engine Optimization (SEO) Poisoning)
4
Real K-State Federal Credit Union
web site
Fake K-State Federal Credit Union
web site used in spear phishing scam
5
Spear phishing scam received by K-Staters in January 2010
6
The malicious link in the email took you to an exact replica
of K-State’s single sign-on web page hosted on a server in the Netherlands
which will steal your eID and password if you enter it and “Sign in”.
Note the URL highlighted in red – “flushandfloose.nl”, which is obviously
7
not k-state.edu
Fake SSO
web page
Real SSO
web page
8
Fake SSO
web page –
site not
secure (http,
not https) and
hosted in the
Netherlands
(.nl)
Real SSO
web page –
note “https”
9
Can I click on this?
Watch for displayed URL (web address) that does
not match the actual
displayed: http://update.microsoft.com/microsoftupdate
actual:
http://64.208.28.197/ldr.exe
Beware of link that executes a program (like ldr.exe
above)
Avoid numeric IP addresses in the URL
http://168.234.153.90/include/index.html
Some even use hexadecimal notation for the IP:
http://0xca.0x27.0x30.0xdd/www.irs.gov/
Watch for legitimate domain names embedded in
an illegitimate one
http://leogarciamusic.com/servicing.capitalone.com/c1/login.aspx/
10
Can I click on this?
Beware of email supposedly from US
companies with URLs that point to a non-US
domain (Kyrgyzstan in example below)
From: Capital One bank <[email protected]>
URL in msg body: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
IE8 highlights the actual domain name to help
you identify the true source. Here’s one from
an IRS scam email that’s actually hosted in
Pakistan:
11
Can I click on this?
Beware of domains from unexpected foreign
countries
Kyrgyzstan: http://towernet.capitalonebank.com.mj.org.kg/onlineform/
Pakistan: http://static-host202-61-52-42.link.net.pk/IRS.gov/refunds.php
Lithuania: http://kateka.lt/~galaxy/card.exe
Hungary: http://mail.grosz.hu/walmart/survey/
Romania: http://www.hostinglinux.ro/
Russia: http://mpo3do.chat.ru/thanks.html
MANY scams originate in China (country code =
.cn)
Country code definitions available at:
www.iana.org/domains/root/db/index.html
12
Can I click on this?
Analyze web links w/o clicking on them by
copying the URL and testing them at these
sites:
Trend Micro’s Web reputation query –
reclassify.wrs.trendmicro.com/wrsonlinequery.aspx
McAfee SiteAdvisor (enter URL on this web
page – you don’t have to install their software):
www.siteadvisor.com/
13
Can I click on this?
Watch for malicious URLs cloaked by URL
shortening services like:
TinyURL.com
Bit.ly
CloakedLink.com
14
Can I click on this?
TinyURL has a nice “preview” feature that
allows you to see the real URL before going to
the site. See tinyurl.com/preview.php to enable
it in your browser (it sets a cookie)
Bit.ly has a Firefox add-on to preview shortened
links:
addons.mozilla.org/en-US/firefox/addon/10297
It also warns you if the site appears to be
malicious:
15
Can I click on this?
16
Malicious Advertisements
Major ad networks (aka “ad
aggregators”) affiliated with Google
(e.g. Doubleclick.com), Yahoo
(yieldmanager.com), Fox and others,
covering more than 50% of online ads,
have been infiltrated with “poisoned
ads” containing malicious code
(Source: Avast!)
Happened to the New York Times
website last fall
17
NY Times incident
Ad placed via phone call from person posing as
Vonage, an intl phone company and regular
advertiser on NY Times web site
Since Vonage well known, they allowed ads to
be served by remote 3rd party host (i.e., not
the NY Times web server)
Legitimate Vonage ads displayed all week
During the weekend, legitimate
ad switched to a malicious one
that served up fake antivirus
scareware which tried to get
people to buy bogus security
software with a credit card
18
Malicious Advertisements
Isn’t just NY Times…
ratemyprofessors.com (!!)
msnbc.msn.com
health.msn.com
music.msn.com
astrology.msn.com
realestate.msn.com
usatoday.com
cnbc.com
digg.com
mail.live.com
addictinggames.com
foxsports.com
hollywoodreporter.com
These legitimate sites are not in cahoots with the criminals,
they’re just not careful enough in screening ads from third
party ad networks
19
Drive-by Downloads
The scary thing is you don’t even have to click on
anything – just visiting a site with malicious code
can initiate a download that installs malware on your
computer without you knowing it.
Symantec claims every one of the top 100 websites
in the world have served up malicious code at some
point
JavaScript in the ad executes when the page is
loaded and tries to exploit a vulnerability in Adobe
PDF reader, Java, or Flash… or all three; this is why
a tool like NoScript or something that blocks ads is
effective
20
Drive-by Downloads
Commonly used to promote fake antivirus software
(aka “scareware” or “extortionware”) – make you
believe your computer is infected with lots of
malware, enticing the nervous user to “Click Here”
to buy fake security software for $30-$100, plus they
steal your credit card information
Can be used to infect your computer with any
malware – keyloggers, Trojans, Torpig, …
Malware changes at a very rapid rate to escape
detection by AV software; hackers test their
malware against 40 popular AV products at
virustotal.com before launching
21
Search Engine
Poisoning
Search engines, like Google, are tricked into
presenting a malicious link in the top 10
results for popular searches
Known as “Blackhat Search Engine
Optimization (SEO) Poisoning”
13% of Google searches for popular or trendy
topics yield malicious links
Currently used mostly for fake antivirus scams
Exploit current events, popular topics
January 2010 an all-time high with hackers
capitalizing on Haitian earthquake, release of
movie Avatar, and announcement of the iPad
22
Blackhat SEO
Poisoning
Search for
“Oscars 2010 winners”
Malicious pages
that infect with
FakeAV scareware
Source: Sophos security blog March 8, 2010
23
Blackhat SEO
Poisoning
Examples of exploited topics in 2010:
Tiger Woods car wreck, affairs
Death of Patrick Swayze
Affair of Sandra Bullock’s husband with Michelle “Bombshell”
McGee
Rumored death of Bill Cosby (pretty common to make up a
sensational hoax)
Chilean earthquake
Moscow subway explosions
Plane crashing into IRS building in Austin, TX
Sea World killer whale attack
Sentencing of TJX hacker
Oscars
Kids’ Choice Awards
Olympics (esp. death of Georigian luge athlete)
March Madness basketball tournament
April Fools Day (a natural…)
24
Blackhat SEO
Poisoning
How does it work?
Legitimate web server compromised (often due to
a vulnerability in a content management system)
and SEO poisoning code loaded (usually a PHP
script)
When the PHP script determines a search engine
“crawler” (Google, Bing, MSN, Yahoo, AOL, etc.) is
making the request for the web page, it returns
content filled with lots of info appropriate for the
event it’s trying to mimic (keywords, phrases, other
high-ranking URLs about the event, images and
videos copied high-ranking sites)
They’ll also harvest search engine results to extract
popular phrases used to search hot topics (ie, they
let the search engines do the research for them!)
25
Blackhat SEO
Poisoning
How does it work?
When PHP code determines it is a user, not a
search engine, visiting the site, it redirects
them to a malicious site to try to infect their
computer or just pop-up bogus security
warnings and try to get them to buy the fake
antivirus software (i.e., you’re not always
infected when you’re tricked into clicking on the
link)
The redirection domain name can change as
often as every 10 minutes, based on
instructions from a “command & control” server
making it harder to identify
26
Blackhat SEO
Poisoning
How do I prevent it?
Be paranoid – think before you click!
Pay attention to the link – only visit reputable sites
Pay attention to warnings from anti-phishing filters,
Trend Micro WRS, and
other tools you might use
to detect malicious links
(see later slides)
If you click on a search
result and security warnings
like this pop-up, do NOT
click on anything – contact
your IT support person
27
Blackhat SEO
Poisoning
How do I prevent it?
Run antivirus software and keep it up-to-date
(required to use Trend Micro on campus)
Keep ALL software patched, including the
web browsers and plug-ins, Adobe products,
Flash, and Java
VERY challenging for IT staff, let alone your
average user
Recent study found that average home user would
have to patch 75 times per year (once every 5
days!) using 22 different patching mechanisms
28
What’s a feller to do?
If you’re not scared by
now, then I’m worried
about you and I pity
your IT support person
29
Browser features – IE8
Domain highlighting
SmartScreen filtering – block access to
malicious sites and file downloads
30
Browser features – IE8
Pop-up blocker- if it
causes a problem
with an application,
add a specific
exception; don’t turn
off the pop-up
blocker
If you don’t see a
malicious pop-up
message, you won’t
be duped by it.
31
Browser features – IE8
InPrivate Browsing – good if using a
public computer in a lab or Internet Café
since it leaves no trace of your browsing
activity. The cache (“temporary Internet
files” which are local copies of content
from web sites you visited recently),
cookies, and browser history (web
address of sites you visited recently) are
not stored.
32
Browser features - Firefox
Anti-phishing and anti-malware
protection – detects and blocks access
to known malicious sites and
downloads
33
Browser features - Firefox
Pop-up Blocker
Similar to IE; add exceptions at
Tools->Options->Content
Private browsing – cache, cookies, and
history not saved, just like “InPrivate
Browsing” in IE
Instant Website ID – provides detailed identity
information, if available, about the site:
34
Browser add-ons
NoScript from noscript.net
Extension for Firefox (not available for IE)
Prevents execution of JavaScript, Java, and
Flash – the most common culprits for web-based
attacks
Can selectively allow trusted sites
Often able to view content of interest without
enabling all scripts – you don’t need to see the
ads or that cute Flash animation!
Takes some getting used to and it takes a while
to build up the exceptions for trusted sites so it’s
not always getting in the way of your productive
use of the web
35
Browser add-ons
Web of Trust from www.mywot.com
Available for Firefox,
IE, Google Chrome
Rates web sites on
Trustworthiness
Vendor reliability
Privacy
Child safety
Warns you if about to visit a poorly rated site
Tags ratings in Google search results, which is really
helpful for detecting Blackhat SEO Poisoning
Also tags links in web-based email like K-State’s Zimbra
Webmail and Gmail
Provides user comments about the site and its rating
36
Browser add-ons
Adblock Plus from adblockplus.org
Again, only for Firefox (IE is not nearly as
extensible as Firefox!)
I haven’t used this tool but others have
recommended it for blocking
advertisements
Some have argued against blocking ads
since they provide the revenue that
allows so much free content on the web
37
Help from Trend Micro
Web Reputation Services (WRS)
Blocks access to known disreputable
sites
Enabled in both Windows and Mac
versions
K-State IT security team regularly reports
new malicious links to Trend to add to the
block list
Also provides traditional “antivirus”
malware protection
38
Trend Micro WRS is
your friend
39
Recognizing Fake
Antivirus Alerts
Actual pop-up alert from Trend Micro OfficeScan:
40
Recognizing Fake
Antivirus Alerts
Example of a Fake AV “scareware” alert that tries trick you into
buying worthless software to fix a non-existent infections:
41
Misc. Tips/Tricks
Use a Mac
Firefox vs. Internet Explorer (IE)?
Stay away from questionable sites
Both have vulnerabilities
Both have helpful security features
ActiveX in IE historically been a security concern but is less of a
target these days
If you use IE6 or IE7, upgrade to IE8 because of significant
security improvements plus application compatibility
Pornography
Gambling
Some gaming sites
Peer-to-peer file sharing applications are dangerous since
they too have been infiltrated with malware; the movie you
download may also have malware attached to it that will infect
42
your computer when you try to run the movie.
Misc. Tips/Tricks
“… because that’s where the money is.” Willie Sutton, famous 19th century
bank robber on why he robs banks
Beware of where you do your online banking – cybercriminals
are actively hunting you online and targeting your computer
because “that’s where the money is”
49 instances of Torpig malware at K-State thus far in 2010, 34
in 2009 – steals username/passwords and banking info
The American Bankers Association recommends using a
dedicated computer for online banking since malware typically
gets on a computer via web surfing or email
A low-end $500 PC or netbook good for this, or re-purpose the
old computer when you upgrade
Make sure your banking computer is protected with a strong
password
At the very least, don’t do online banking on the same home
computer your children (and their friends) use!
43
Misc. Tips/Tricks
Risks of social network sites
People tend to reveal too much personal
information
Pay careful attention to the security
configurations, esp. for privacy
Beware of third party applications and
advertisements
Beware of unusual friend requests
Application whitelisting (specify the
programs that can run on the computer –
everything else is prohibited)
44
Misc. Tips/Tricks
Remove administrator rights from users
Recent study of 2009 Microsoft security vulnerabilities claims
removing administrator rights would prevent exploitation of:
With admin privileges, hacker can:
90% of the “critical” vulnerabilities found in Windows 7
100% of the 55 vulnerabilities found in Microsoft Office
100% of Internet Explorer 8 vulnerabilities
94% of the vulnerabilities in all versions of IE
81% of all critical vulnerabilities announced/patched by Microsoft
in 2009
Install or remove/disable any software
Change security settings, disable AV software
Create new accounts
View/copy/change/delete all files
Have complete control of the computer
Running as a regular user limits the damage to that user’s
account
Create a separate regular user account for your children
on your home computer(s)!!
45
Misc. Tips/Tricks
Don’t let your browser store/remember
important passwords like:
eID
Financial accounts
38% of bank account or
username/password information stolen
by Torpig malware came from the
browser’s password store on the
compromised computer
Password-protect the browser password
store
46
Misc. Tips/Tricks
Don’t keep yourself logged into
important accounts
Similar to letting the browser
store username/password;
effect is the same – anyone
with access to the computer
has access to those accounts
Never do either on a public computer
47
Misc. Tips/Tricks
Use a password manager
Windows: Password Safe - pwsafe.org
Macs: Password Gorilla www.fpx.de/fp/Software/Gorilla/
Many useful features, easy to use
Also available for Windows and Linux
Can read Password Safe database
Multi-OS and multi-computer: LastPass lastpass.com
Passwords stored on server so can access them
from multiple computers
Premium version @ $1/month provides mobile
device support (iPhone, Blackberry, Android,
etc.), no ads, and multi-factor authN support
48
Conclusion
There’s no way to be 100% secure surfing the
web these days
Use multi-faceted approach to reduce your
risk (browser security features, browser addons, Trend Micro security software, educate
yourself)
These tools and techniques make your
browsing experience less convenient and may
frustrate you at times, but they are necessary
in today’s hostile online climate
Think before you click!
49
What’s on your mind?
50